Popular Downloads:

Friday, May 21, 2010

Using WS-Security Username Token alone with Transport level security, HTTPS, is quite common. By default, Username token is used with WS-Security Signature. Lets look at how to configure WS-Security Username Token with WSF/PHP.

Since, by default, WSF/PHP tries to sign the username token credentials, you would need to specify client certificate and the private key for configuring Username Token.

I have copied a code snippet from the username token sample. As you can see, we are only configuring username token by using the option useUsernameToken in the policy configuration. However, for the WSSecurityToken configuration, I have passed both the “privateKey” option and “certificate” option. The private key refer to the client’s private key and certificate refer to client’s certificate which contains the public key of the client. This is because, by default, UsernameToken uses signature to enhance security of username token.

Often you would need to use https transport and plaintext username password instead of a signed username token. You can easily enable this option by specifying a policy file and an empty transportBinding element within it as follows.

So is this the only way to use UsernameToken without a client cert? That is, do you have to provide a custom policy file if you do not want to provide a privateKey and certificate in the WSSecurityToken. Or can you just simply create a WSSecurityToken without the privateKey and certificate attributes?